Missing quotes around string in decompilation, with E4X @foo

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
10 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {testcase})

Trunk
x86
Mac OS X
testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
js> function() { (@foo += 1)("a b c"); }
function () {
    (@foo += 1)(a b c);
}
Created attachment 258266 [details] [diff] [review]
Another missing inXML = JS_FALSE

I suspect pretty much all the bugs that hit the JSOP_ADD assertion are due to bad inXML logic.  This particular one looks like inXML needs to be reset for JSOP_BINDXMLNAME.  A slightly simpler (bytecode-wise) testcase:

function() { @foo = "5";  return "a\\b"; }

Also, some other testcases which work with latest trunk:

function() { @f(); "a\\".length; } // suspect this one was broken before today
function() { n::b(); "a\\b".length; }
function() { * = "5"; "a\\b".length; }

Do we have any sort of descriptions anywhere of exactly how the E4X bytecodes combine to produce correct logic, other than as the source code?  I can use dis and play whack-a-mole all I want, but it seems it'd be better/faster to refer to documentation of bytecode semantics and fix all these bugs at once.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attachment #258266 - Flags: review?(mrbkap)
Comment on attachment 258266 [details] [diff] [review]
Another missing inXML = JS_FALSE

This is fine, but see bug 373595 for more whack-a-mole fun. I wonder if it's worth coming up with a better way of tracking this stuff (if one exists).
Attachment #258266 - Flags: review?(mrbkap) → review+
(Reporter)

Comment 3

10 years ago
WFM.
Fixed by patch for bug 372564 as well -- waldo pls. confirm by marking FIXED.

/be
(Reporter)

Updated

10 years ago
No longer blocks: 349611
(Reporter)

Updated

10 years ago
Blocks: 349611

Updated

10 years ago
Blocks: 246441
These bugs are all part of a search I made for js bugs that are getting lost in transit:

http://tinyurl.com/jsDeadEndBugs

They all have a review+'ed, non-obsoleted patch and are not marked fixed-in-tracemonkey or checkin-needed but have not seen any activity in 300 days. Some of these got lost simply because the assignee/patch provider never requested a checkin, or just because they were forgotten about.
Assignee: jwalden+bmo → general
WFM too.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.